Full Disclosure mailing list archives

RE: Probable new MS DCOM RPC worm for Windows


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 25 Sep 2003 09:20:00 -0500

-----Original Message-----
From: Richard Johnson [mailto:rnews () whirlpool river com] 
Sent: Wednesday, September 24, 2003 10:03 AM
To: full-disclosure () lists netsys com; incidents () securityfocus com
Subject: Re: Probable new MS DCOM RPC worm for Windows 

We finally had infections occur on Tuesday evening showing the same 
scan behavior.  Sysadmins doing cleanup report Norton and McAfee IDed 
the bug as W32.Welchia.

I don't know whether it was a variant using one of the two new RPC 
holes, or just month-old Welchia. That's because the hosts hit were 
traditional non-compliant lab machines and non-adminned remote office 
or home hosts.  In other words, they were still vulnerable to the 
original blaster worm.

I'm thinking that there *has* to be a variant of Nachi/Welchia in the
wild.  We have machines that were patched for MS03-026 (verified by
scanning with multiple scanners) but not patched for MS03-039 (ditto)
and they have been infected by something that triggers my Nachi rule in
snort.  This should *not* be possible with the "original" Nachi/Welchia,
so my assumption is that either something new has been released or the
worm has mutated somehow.

Mind you, this is anecdotal and a very small incidence (only three
machines so far), but it still bears watching IMHO.  I've been surprised
to not see any discussion on the lists about a new variant.  Perhaps no
one is looking?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
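The reasoning in the reply above is a correlation exercise: hosts that fire a Nachi/Welchia IDS rule while verified patched for MS03-026 should not be infectable by the original worm, so each alerting host is sorted by which patch state would explain the alert. The script below, an added example and not code from either poster, does that correlation over constructed scanner output and constructed Snort fast-alert lines; the rule message text "Nachi scan", the alert format details, the hosts and the patch states are all assumptions made for the example, and the actual Snort rule used at UT Dallas is not on the page.

```python
"""Correlate IDS alerts against per-host patch status to flag hosts that the
original Nachi/Welchia (MS03-026 exploit) should not have been able to infect.

All sample data below is constructed for this example. MS03-026 and MS03-039
are the bulletins named in the thread; everything else is assumed.
"""
import re
from collections import defaultdict

# Constructed patch-scanner output: host, bulletin, status.
SCAN_RESULTS = """\
10.1.4.17 MS03-026 PATCHED
10.1.4.17 MS03-039 MISSING
10.1.4.22 MS03-026 MISSING
10.1.4.22 MS03-039 MISSING
10.1.9.5 MS03-026 PATCHED
10.1.9.5 MS03-039 PATCHED
10.1.9.8 MS03-026 PATCHED
10.1.9.8 MS03-039 MISSING
"""

# Constructed Snort fast-alert lines; "LOCAL Nachi scan" is an assumed
# local rule message, not a real rule from the page or from Snort's rule set.
SNORT_ALERTS = """\
09/24-22:13:01.123456 [**] [1:1000001:1] LOCAL Nachi scan [**] {ICMP} 10.1.4.17 -> 10.1.5.1
09/24-22:13:04.654321 [**] [1:1000001:1] LOCAL Nachi scan [**] {ICMP} 10.1.4.22 -> 10.1.5.2
09/24-22:14:10.000001 [**] [1:1000001:1] LOCAL Nachi scan [**] {ICMP} 10.1.9.8 -> 10.1.5.9
09/24-22:15:00.000002 [**] [1:2003:8] SOME OTHER RULE [**] {TCP} 10.1.9.5:1044 -> 10.1.5.9:135
"""

# Pull the rule message and the source IP (optional :port) out of a fast-alert line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)


def parse_scan(text):
    """Return {host: {bulletin: patched?}} from scanner lines."""
    status = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, bulletin, state = line.split()
        status[host][bulletin] = state.upper() == "PATCHED"
    return dict(status)


def alerting_hosts(text, rule_keyword="Nachi"):
    """Source IPs of alerts whose rule message mentions the Nachi rule."""
    hosts = set()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and rule_keyword.lower() in m.group("msg").lower():
            hosts.add(m.group("src"))
    return hosts


def triage(status, hosts):
    """Classify each alerting host by the patch state that would explain the alert."""
    verdicts = {}
    for host in sorted(hosts):
        patched = status.get(host, {})
        if not patched.get("MS03-026", False):
            verdicts[host] = "expected: unpatched for MS03-026 (original Nachi/Welchia)"
        elif not patched.get("MS03-039", False):
            verdicts[host] = "anomalous: MS03-026 patched, MS03-039 missing; suggests a new variant"
        else:
            verdicts[host] = "anomalous: both bulletins patched; rule false positive or unknown vector"
    return verdicts


def run():
    """Correlate the constructed scan results with the constructed alerts."""
    return triage(parse_scan(SCAN_RESULTS), alerting_hosts(SNORT_ALERTS))


if __name__ == "__main__":
    for host, verdict in run().items():
        print(host, verdict)
```

The "anomalous" bucket is the one worth escalating: a sample from such a host, compared against a known Welchia binary, is what separates "new variant" from "patch scanner was wrong", and the scanner result should be re-verified by a second tool before drawing either conclusion.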

